Overview

• What is the NTAT?

• 2011 - 2012 work and accomplishments
Tradecraft

Network Tradecraft

• “The development of methods, techniques, algorithms and processes in order to generate Intelligence, and developing the ability to apply this knowledge either manually or through automation. Tradecraft is developed from experience, research, intuition and by the reapplication and redefinition of existing techniques. Industrial-Scale Tradecraft involves data on a large scale.”

• Usable knowledge about how to acquire intelligence FROM the network
1. Create repeatable, sustainable & shareable tradecraft to enable network analysis

2. Facilitate knowledge collaboration and interchange across the 5-Eyes SIGDEV community
The Process

Stage 1 = [illegible]

Stage 2 = Define Foe (based on Fact Finding)

Stage 3 = Develop Tradecraft

Stage 4 = Document Tradecraft

Stage 5 = Test Documented Tradecraft and Refine
Network Convergence Tradecraft

• Technological convergence - where voice and data services interact with each other on a single device

• Tradecraft to enable the targeting of handsets in telephony space and CNE exploitation in IP space

• Improved algorithms for mobile gateway identification and implementation of these algorithms
DSD Workshop
November 2011

• 2 weeks

• CSE, DSD, GCHQ

• Virtually, via chat room, NSA & GCSB

• Focus on data, techniques & analytic outcomes

https://wiki.dsd/twiki/
DSD Workshop
Outcomes

• Technique developed to identify wide variety of potential converged data, unique for specific country or mobile network operator

  o potentially lead to convergence correlation dataset to help profile targets' on-line activity

• Documentation of techniques to identify specific components of raw HTTP activity that alludes to the browsing, downloading and installation of smartphone applications

  o identified the presence of application servers for mobile network operators and geographical areas

• DSD implementation of mobile gateway identification analytic based on FRETTING YETI

  o three agencies now running the same analytic provides a richer dataset of mobile gateways

• CRAFTY SHACK trial

  o NTAT now using CRAFTY SHACK for tradecraft documentation
XKS Microplugin:
Samsung Protocol

[Screenshot: XKS query result table produced by the Samsung protocol microplugin. Columns: Csc, Device_Model, HTTP_User_Agent, Mnc, Message_Type, Network_Type, Odc_Version, Preloaded_apps, User/Casenotation, plus a classification marking and timestamp column. Legible rows (2012-05-11 to 2012-05-13) show CSC codes KSA, AUT, SKZ, XSG, XEU and THR; device models GT-N7000, GT-P7500, GT-I9100 and GT-B5512; user agent SAMSUNG-Android; message types checkAppUpgrade Request, getPushNotificationMessage Request, getDownloadList Request, getKillList Request, getUpgradeNKillCount Request, upgradeListEx Request, purchaseDetailEx Request and countrySearch Request; ODC versions 2.6.x and 3.0.021; and the preloaded app com.sec.android.app.samsungapps.]
CSE Workshop
February 2012

• 2 weeks

• CSE, DSD, GCHQ, GCSB, NSA - everyone wanted to experience a Canadian winter!

• Build on the work started at DSD

[Photo caption: Winter Nirvana]
CSE Workshop
Outcomes

• Refinement of XKS fingerprints to identify mobile bearers, Samsung and Android Marketplace servers

  o 17 XKS fingerprints deployed

• Documentation of analytics in CRAFTY SHACK

  o These analytics are now being implemented across the 5 Eyes

• Proving the tradecraft actually works!

  o Scenario to test the tradecraft and analytics - Op IRRITANT HORN
Op IRRITANT HORN
Does the tradecraft work?

• Another Arab Spring (only this time, different countries)

• Goal: identify aggregation points for the mobile networks in the countries of interest using the tradecraft developed during the workshops

• Did it work? YES -> the team was able to identify connections from the countries to application and vendor servers in non 5-Eyes countries

• So what? We found some servers....

  o Potential MiTM
  o Effects
  o Harvesting data at rest
  o Harvesting data in transit
Finding mobile application & vendor update servers

[Screenshot: Tradecraft Navigator workflow. Legible nodes: IP input; Row Normaliser; Geolocation and Network Information (ATLAS): Date Range, IP Range; Reverse DNS (DANAUS): IP Range; IP-IP Communication Summaries (HYPERION): Date Range, IP Range; Filter rows; Select values; Tradecraft Navigator Output.]
Finding mobile application & vendor update servers

[Screenshot: Tradecraft Navigator output, country and hostname columns]

France         android-market.l.google.com
France         android-market.l.google.com
France         android-market.l.google.com
France         android-market.l.google.com
France         android-market.l.google.com
Cuba           store.cubava.cu
Cuba           store.cubava.cu
Senegal        srv applis.sar.sn
morocco        boungeontelephone.com
Switzerland    download-force.com
bahamas        supportapple.com
cuba           store.cubava.cu
netherlands    mobile.ero-advertising.com
russia         lady.marketgid.info
Identify Servers communicating with a Mobile network

[Screenshot: CRAFTY SHACK wiki page, with Page / Discussion / History / Edit tabs]

Identify Servers communicating with a Mobile network

Created by:
Agency:
Email Address:
Difficulty: [rating icons]
Acceptance state: Limited

Input(s): Ontology Network block, Ontology IP address

Output(s): Ontology IP address, Ontology ASN, Ontology Network block, Ontology Hostname, Ontology User Agent String, Ontology Geographic selector

Invokes Tradecraft:

• Find public IP space used by Mobile Devices and Related Servers on the Internet

• Finding Mobile Internet Gateways

Factbox: 5 EYES, CSEC, DSD, GCHQ, GCSB, NSA

Metadata

Alternatives:

• Identify Servers communicating with a Mobile network

What does the tradecraft achieve?

• This tradecraft will provide a list of servers that have been seen communicating with a mobile network

In what situations would this tradecraft be most useful?

• To identify mobile application servers for a specific network

• To identify any server that may be useful for collection purposes

Describe any problems, caveats or things to watch out for

• The list of servers returned depends on the IP range and collection sources utilized. Success of this tradecraft may require additional research to identify other IP ranges or requesting other agencies to check their collection to identify different servers

Links that can help you to implement this tradecraft

5 EYES Tradecraft Steps (document tools)

The IP ranges utilized for the initial implementation of this tradecraft were the Inter PLMN Backbone IP ranges obtained from IR21 documents. For other methods of identifying mobile IP blocks, see the invoked tradecraft listed above.

Step 1) Take IP ranges or individual addresses identified as being related to mobile network communications

Step 2) Obtain geolocation information and network ownership information for each IP address. This should include Network Owner name, Carrier name, ASN, Continent, Country, Region, City, LatLong, and any other related details that your system can obtain

Step 3) Obtain Internet communication events related to the IP addresses. These events should minimally include source information, To IP, From IP, TCP Direction, and HTTP User-Agent

Step 4) Sort the results and dedup them. This step depends on your collection sources

Step 5) Filter out server communications that have user-agents that aren't useful. Further analysis is needed to identify the non-useful user-agents (Cheatsheet needed). Ex: friendly-scanner

Step 6) Check the TCP Direction field

• If Server to Client, grab the From IP information

• If Client to Server, grab the To IP information

• If Server to Server, grab both the To and From IP information

• If Unknown, capture in an error log

Step 7) Sort and dedup again based on Server IP information. TCP Direction info is no longer needed

Step 8) Obtain geolocation information and network ownership information for each Server IP. This is done for the servers that were not in the original IP Blocks

Step 9) Remove any servers that are not useful. This may include 5-Eyes servers

Step 10) Output

• List of Servers

• List of related User Agents
• List of related hostnames 



Comments (2) | Show comments

Category: Tradecraft

Average article quality (based on 1 ratings)

Last modified 24/2/2012

CRAFTY SHACK • It's not tradecraft until it's documented! - CSEC
Identifying servers communicating with an MNO

[Screenshot: Tradecraft Navigator pipeline implementing the documented steps. Legible node names: Remove duplicates, Normaliser, SrcIP/DstIP, Select values, Lookup, Stream Enrichment, Found Link, Buffer, Demux, Enriched?, Distribute, Lookup DstIP Enrichment, TDI Online Events (PEITHO), ATLAS Geo and Network Info, Dedup, Unique rows, Is Server->Client?, Is Client->Server?, Initial IP and delete extras, Is User Agent friendly-scanner?, Combine, Copy data, Unknown_Direction, Sort, IP Blocks, Unique IP Blocks, 5-Eye places, Select values 3, UserAgentData, Sort rows 2, Unique rows, Servers with Host, convert, create dash, concatenate, GoogleEarth, Servers.]
[Screenshot continued: convert 2, Reverse DNS (DANAUS) IP Range]

Profiling mobile application servers

This tradecraft will accept a CSV file of known apps server hostnames. It will then perform reverse DNS queries to obtain the IP addresses of the apps servers. With the IP addresses, geolocation and network provider queries will be performed on all app server IP addresses. The IP addresses are then used to search for TDI events associated with those IP addresses. The result is a list of the apps servers with IP addresses, geolocation and provider details, as well as TDI events seen connecting to those apps servers. The TDI events are also queried to determine their geolocation and provider details.
Profiling mobile application servers

[Screenshot: Splunk search view, 18 results over all time. Selected fields: HTTP_User_Agent, source. Interesting fields include Application, ASN, Carrier, Case_Notation, City, Client_ASN, Client_Carrier, Client_City, Client_Country, Client_Digraph, Client_IP_Range, Client_Owner, Country, Digraph, host, Hostname, HTTP_Via, Identifier, index, IP, IP_From. The result rows are handset user agents (Nokia 5310 XpressMusic, Nokia 6300, Nokia 6233, several SAMSUNG SCH-, GT- and B-series models, Opera 9.80 (S60), LG-GU230, ZTE-G-S213), mostly Java ME strings carrying "Configuration CLDC-1.1" and "MMP 2.0". Field summary for Client_Owner (categorical), appears in 100% of results: single value Warid Congo, 102 events, 100%.]

Results based on mobile application servers seen in CSE collection

We have a list of the most popular smartphones for Warid Congo customers and their IMSIs

TOP SECRET//SI






Success Stories

UCWeb mobile browser identification

• Discovered by GCHQ analyst during DSD workshop

• Chinese mobile web browser - leaks IMSI, MSISDN, IMEI and device characteristics
(S//SI//REL TO USA, FVEY) The CONVERGENCE team helped discover an active communication channel originating with the [redacted] as they are known within the [redacted] hierarchy. [Redacted] area of responsibility is for covert activities in Europe, North America, and South America. The customer [redacted] leveraged a Convergence Discovery capability that enabled the discovery of a covert channel associated with smart phone browser activity in passive collection. The covert channel originates from users who use UC Browser (mobile phone compact web browser). The covert channel leaks the IMSI, MSISDN, Device Characteristics, and IMEI to server(s) in [redacted]. Initial investigation has determined that perhaps malware can be associated when the covert channel is established. [Redacted] covert exfil activity identifies SIGINT opportunity where potentially none may have existed before. Target offices that have access to search within this type of traffic, keyed on their IMSI or IMEI to determine Internet presence










UCWeb

[Screenshot: UCWeb analytic result view (Reports / Map View), 7 rows. Columns: State, ID, Datetime, Highlights, Datetime End, Browser Version, Email Address, Handset Model, Platform, Active User/Casenotation. The legible columns are reproduced below.]

Row  Datetime             Datetime End         Browser Version  Handset Model  Platform
1    2012-05-13 02:29:20  2012-05-13 02:29:23  8.0.3.107        nokiae90-1     java
2    2012-05-13 06:00:59  2012-05-13 06:01:00  8.0.3.107        nokiae90-1     java
3    2012-05-13 19:39:11  2012-05-13 19:39:11  7.9.3.103        HTC A510e      android
4    2012-05-14 12:29:53  2012-05-14 12:29:53  8.0.4.121        NokiaE72-1     sis
5    2012-05-14 17:46:46  2012-05-14 17:46:46  8.0.4.121        NokiaX6-00     sis
6    2012-05-15 18:28:19  2012-05-15 18:28:19  8.0.4.121        NokiaX6-00     sis
7    2012-05-15 20:02:5…  2012-05-15 20:02:…   8.0.4.121        NokiaX6-00     sis
Vision of Success

• Shared convergence database with numerous different sources, methods & tradecraft feeding into it

• Ultimately correlating telephony and Internet TDIs with some degree of confidence
Synergising Network Analysis Tradecraft

Network Tradecraft Advancement Team (NTAT)